Hybrid Retrieval-Augmented Generation (RAG) pipelines combine vector similarity search with knowledge graph expansion for multi-hop reasoning. We show that this composition introduces a distinct security failure mode: a vector-retrieved "seed" chunk can pivot via entity links into sensitive graph neighborhoods, causing cross-tenant data leakage that does not occur in vector-only retrieval. We formalize this risk as Retrieval Pivot Risk (RPR) and introduce the companion metrics Leakage@k, Amplification Factor, and Pivot Depth (PD) to quantify leakage magnitude and traversal structure. We present seven Retrieval Pivot Attacks that exploit the vector-to-graph boundary and show that adversarial injection is not required: naturally shared entities create cross-tenant pivot paths organically. Across a synthetic multi-tenant enterprise corpus and the Enron email corpus, the undefended hybrid pipeline exhibits high pivot risk (RPR up to 0.95), with multiple unauthorized items returned per query. Leakage consistently appears at PD=2, which we attribute to the bipartite chunk-entity topology and formalize as a proposition. We then show that enforcing authorization at a single location, the graph expansion boundary, eliminates measured leakage (RPR near 0) across both corpora, all attack variants, and label forgery rates up to 10 percent, with minimal overhead. Our results indicate that the root cause is a missing authorization check at the boundary rather than a need for inherently complex defenses: two individually secure retrieval components can compose into an insecure system unless authorization is re-checked at the transition point.
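The following is an added illustration, not code from the paper: a toy hybrid pipeline on a constructed five-chunk, three-tenant corpus, showing a PD=2 pivot through a shared entity and the effect of re-checking authorization at the graph expansion boundary. The vector store is stubbed as a tenant-filtered lookup, and the RPR and Leakage@k definitions below are simplified assumptions standing in for the paper's formal metrics.

```python
from collections import defaultdict

# Constructed toy corpus: chunk id -> (tenant label, text, entities).
# "ProjectX" is a naturally shared entity that links tenantA and tenantB.
CHUNKS = {
    "c1": ("tenantA", "Q3 roadmap for ProjectX", {"ProjectX"}),
    "c2": ("tenantA", "ProjectX staffing plan", {"ProjectX", "Alice"}),
    "c3": ("tenantB", "ProjectX pricing draft (confidential)", {"ProjectX", "Bob"}),
    "c4": ("tenantB", "Compensation memo for Bob", {"Bob"}),
    "c5": ("tenantC", "Unrelated facilities notice", {"Facilities"}),
}

# Bipartite chunk-entity index: entity -> set of chunks mentioning it.
ENTITY_INDEX = defaultdict(set)
for cid, (_, _, ents) in CHUNKS.items():
    for e in ents:
        ENTITY_INDEX[e].add(cid)

def vector_seed(query_tenant, k=1):
    """Stand-in for vector search (assumption: the vector store is already
    tenant-filtered, i.e. the 'individually secure' first component)."""
    return [cid for cid, (t, _, _) in CHUNKS.items() if t == query_tenant][:k]

def graph_expand(seeds, query_tenant, depth=2, enforce_auth=False):
    """Expand seeds over chunk -> entity -> chunk hops. PD=1 reaches an entity,
    PD=2 reaches a neighbouring chunk. With enforce_auth=True, authorization is
    re-checked at the expansion boundary (the single-location defense)."""
    frontier, seen = set(seeds), set(seeds)
    for _ in range(depth // 2):  # each chunk->entity->chunk round is two hops
        nxt = set()
        for cid in frontier:
            for e in CHUNKS[cid][2]:
                for nb in ENTITY_INDEX[e]:
                    if nb in seen:
                        continue
                    if enforce_auth and CHUNKS[nb][0] != query_tenant:
                        continue  # drop cross-tenant neighbour at the boundary
                    nxt.add(nb)
        seen |= nxt
        frontier = nxt
    return sorted(seen)

def leakage_at_k(results, query_tenant, k=10):
    """Assumed metric: number of unauthorized chunks among the top-k results."""
    return sum(1 for cid in results[:k] if CHUNKS[cid][0] != query_tenant)

def retrieval_pivot_risk(tenants, **kw):
    """Assumed metric: fraction of queries returning at least one unauthorized chunk."""
    leaks = [leakage_at_k(graph_expand(vector_seed(t), t, **kw), t) > 0 for t in tenants]
    return sum(leaks) / len(leaks)
```

Undefended, tenantA's seed c1 pivots through ProjectX to tenantB's c3 at PD=2 and RPR is 2/3 over the three tenants; with `enforce_auth=True` the same traversal returns only same-tenant chunks and RPR drops to 0.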